achieving keyless cdns with conclaves
play

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina - PowerPoint PPT Presentation

Oct 08, 2022 •232 likes •1.21k views

Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin User Bank Content Delivery Networks host their customers websites customers origin server Content Delivery Networks host their customers websites

  1. Achieving Keyless CDNs with Conclaves Stephen Herwig Christina Garman Dave Levin

  2. User Bank

  3. Content Delivery Networks host their customers’ websites customer’s origin server

  4. Content Delivery Networks host their customers’ websites CDN’s CDNs edge server customer’s origin server

  5. CDNs CDNs reduce page load times CDN’s edge server customer’s origin server

  6. CDNs CDNs reduce page load times CDN’s edge server customer’s origin server

  7. CDNs CDNs mitigate and block attacks CDN’s edge server customer’s origin server

  8. CDNs CDNs mitigate and block attacks CDN’s edge server customer’s origin server

  9. Customers share their keys with CDNs CDN’s edge server

  10. Customers share their keys with CDNs CDN’s edge server bank’s private key

  11. Key sharing is widespread Cangialosi et al., CCS 2016

  12. Key sharing is widespread 43% of the top 10k 
 most popular websites Fraction of Domains Hosted 1 on Third-party Providers At least one key shared All keys shared 0.8 0.6 0.4 0.2 0 0 200k 400k 600k 800k 1M Alexa Site Rank (bins of 10,000) Cangialosi et al., CCS 2016

  13. Key sharing is widespread 43% of the top 10k 
 most popular websites Fraction of Domains Hosted 1 on Third-party Providers At least one key shared All keys shared 0.8 0.6 0.4 0.2 0 0 200k 400k 600k 800k 1M Alexa Site Rank (bins of 10,000) Cangialosi et al., CCS 2016 The web has consolidated keys in the hands of a few CDNs

  14. Keyless SSL Introduced by Cloudflare to mitigate key sharing

  15. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin)

  16. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  17. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  18. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  19. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  20. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  21. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key

  22. Keyless SSL Introduced by Cloudflare to mitigate key sharing Private keys stay at the key server (origin) Key server performs actions requiring private key The CDN learns all session keys

  23. Keyless SSL Introduced by Cloudflare to mitigate key sharing In practice: 
 CDN Private keys stay at the key server (origin) Key server performs actions requiring private key The CDN learns all session keys

  24. Can we Maintain privacy using Legacy applications on Third-party resources ?

  25. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications Third-party resources

  26. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources

  27. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  28. Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  29. Phoenix Maintain privacy The CDN is no more trusted 
 than a standard on-path attacker Legacy applications No changes to existing code-bases; 
 facilitates deployment and adoption Third-party resources Leverage the existing infrastructure. One additional assumption: TEEs

  30. Trusted execution environments By default, assume all system components are untrusted Application Code Operating 
 Service System Hardware

  31. Trusted execution environments By default, assume all system components are untrusted Application Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks

  32. Trusted execution environments By default, assume all system components are untrusted Enclave: Isolated 
 application memory Application Enclave Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks

  33. Trusted execution environments By default, assume all system components are untrusted Enclave: Isolated 
 application memory Application Enclave Code Operating 
 Service System Hardware Small trusted CPU 
 Resistant to physical attacks Model: Code and data can safely reside inside an enclave

  34. Practical limitations of TEEs Applications inside enclaves cannot make syscalls Application Enclave Code Syscalls Operating 
 Service System Untrusted Hardware

  35. libOSes Idea: Implement a small “OS” inside the enclave Enclave Operating 
 Service System Hardware

  36. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code libOS Service Operating 
 Service System Hardware

  37. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" libOS Service Operating 
 Service System Hardware

  38. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" Service locally 
 libOS Service when possible Operating 
 Service System Hardware

  39. libOSes Idea: Implement a small “OS” inside the enclave Enclave Application Code "Syscalls" Service locally 
 libOS Service when possible Syscalls Operating 
 Service System Hardware

  40. Graphene-SGX A libOS for Intel SGX that supports some services Tsai et al., ATC 2017

  41. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: fork exec pipes, signals, semaphores Tsai et al., ATC 2017

  42. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Web Application 
 Needs 
 plaintext Firewall Needs 
 Key Server safe 
 storage

  43. Graphene-SGX A libOS for Intel SGX that supports some services Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Also critical to a CDN: Web Application 
 Reading & writing files Needs 
 plaintext Firewall Shared memory Access to private keys Needs 
 Key Server safe 
 storage

  44. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Web Application 
 Needs 
 plaintext Firewall Needs 
 Key Server safe 
 storage

  45. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Graphene’s supported services: What constitutes a CDN? fork Multiple 
 Web server exec tenants pipes, signals, semaphores Needs 
 Cache disk Also critical to a CDN: Web Application 
 Reading & writing files Needs 
 plaintext Firewall Shared memory Access to private keys Needs 
 Key Server safe 
 storage

  46. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Web server Enclave Cache Cache Key Server Cache Web Application 
 Firewall Web Application 
 Firewall Web Application 
 Firewall Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

  47. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Web server Enclave Cache TLS Cache Key Server Cache Web Application 
 Firewall Web Application 
 Enclaves mutually 
 Firewall Web Application 
 authenticate via Firewall attested TLS Knauth et al., 2018 Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

  48. Phoenix The first truly keyless CDN Conclaves Con tainers of en claves Enclave Enclave Web server Enclave Web server Private key operation Web server Enclave Cache TLS Cache Key Server Cache Web Application 
 Firewall Web Application 
 Enclaves mutually 
 Firewall Web Application 
 authenticate via Firewall attested TLS Knauth et al., 2018 Insight: Treat enclaves like a distributed system 
 Implement services using kernel servers

Recommend

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set

1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set

1 Slashdot Effect 2 Existing Commerical CDNs 3 Build your own solution Expensive to set up Only cost effective at massive scale Purchase from provider Expensive Requires prior knowledge of demand Existing Free CDNs 4

557 views • 21 slides
bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form

bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form

bolt bolt Leading bolt Competitor bolt bolt Keyless Electric System + Simplified Lock Form Convenience bolt Degrees of Freedom bolt Degrees of Freedom bolt Keyless Unlocking > 5 ft < 5 ft bolt Keyless Unlocking > 5 ft

693 views • 30 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

627 views • 34 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

487 views • 37 slides
Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs

Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs

Stuff I do Follow me! https://pasztor.at @janoszen About this talk 1. The problem with CDNs About this talk 1. The problem with CDNs 2. How does a CDN work? About this talk 1. The problem with CDNs 2. How does a CDN work? 3. Static

1.32k views • 95 slides
Use Cases for ALTO within CDNs

Use Cases for ALTO within CDNs

Use Cases for ALTO within CDNs dra6-jenkins-alto-cdn-use-cases-01 Ben Niven-Jenkins Grant Watson, Nabil Bitar, Jan Medved, Stevano Previdi,

419 views • 5 slides
Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of Technology / Guardtime AS May 17, 2014 Estonian CS Theory days at Narva-J oesuu TL; DR Built a practical signature scheme without modular

585 views • 25 slides
Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Introduction Theory Results Conclusion Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009 Dick Visser and Jarno van de Moosdijk Car security: remote keyless entry and go Introduction

388 views • 24 slides
ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO KASPER, PIERRE PAVLIDES PRESENTED BY JACOB BEDNARD, WAYNE STATE UNIVERSITY CSC5991 MAJOR CONTRIBUTIONS VW Group

668 views • 40 slides
The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving

The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving

The National Adoption Service Suzanne Griffiths, Director of Achieving More Together Achieving More Together Operations Achieving More Together / Cyflawni Mwy Gydan Gilydd Y Dirprwy Weinidog dros y Gwasanaethau Cymdeithasol, Rhagfyr 2012

538 views • 14 slides
achieving better outcomes achieving better outcomes and some thoughts on wellbeing and

achieving better outcomes achieving better outcomes and some thoughts on wellbeing and

The role of science and modelling in achieving better outcomes achieving better outcomes and some thoughts on wellbeing and sustainability Professor Steve Hatfield-Dodds Presentation to ESCAP Study Tour, Canberra, 11 September 2013 CSIRO

224 views • 21 slides
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon,

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon, Boris Danev, Srdjan apkun Monday February 7, 2011 System Security Group 1 Modern Cars Evolution Increasing amount of electronics in cars

552 views • 24 slides
New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017

New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017

New levels of cooperation between eyeball ISPs and OTT/CDNs. RIPE 75 Dubai Oct 24, 2017 Falk von Bornstaedt, DTAG ICSS 1 LACK OF TRANSPARENCY IMPAIRS internet performance Clouds & Content Traffic Generators Operators Users

485 views • 11 slides
Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens,

Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens,

Evaluation of Replica Placement and Retrieval Algorithms in Self Organizing CDNs Jan Coppens, Tim Wauters, Filip De Turck, Bart Dhoedt and Piet Demeester IFIP/IEEE International Workshop onSelf-Managed Systems & Services (SELFMAN)

772 views • 18 slides
DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer

DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer

DNS and CDNs 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer Networking: A Top Down Approach, 6 th edition. J.F. Kurose and K.W. Ross Administrivia HW #1 is posted Mission: Learn to use network tools to gather

1.23k views • 59 slides
Drongo Speeding Up CDNs with Subnet Assimilation from the Client CoNEXT 17 Authors: Incheon,

Drongo Speeding Up CDNs with Subnet Assimilation from the Client CoNEXT 17 Authors: Incheon,

Drongo Speeding Up CDNs with Subnet Assimilation from the Client CoNEXT 17 Authors: Incheon, South Korea Marc Anthony Warrior CDN & Caching Session Uri Klarman Marcel Flores Aleksandar Kuzmanovic Birds Eye View What is

1.21k views • 104 slides
Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu,

Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu,

Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu, Michael J. Freedman, Jennifer Rexford Princeton University August 19, 2011 Performance Bottlenecks CDN Servers Server APP Internet Clients

192 views • 15 slides
Comparison of BitTorrent with Traditional Content Distribution Networks (CDNs) ENSC 835 High

Comparison of BitTorrent with Traditional Content Distribution Networks (CDNs) ENSC 835 High

Comparison of BitTorrent with Traditional Content Distribution Networks (CDNs) ENSC 835 High Performance Networks Catherine Chan Sean Puttergill Roadmap Introduction & Motivation Overview of Related Work Technical

374 views • 23 slides
Held Hostage? The Influence of Major ASes and CDNs on the Internet Original Idea The

Held Hostage? The Influence of Major ASes and CDNs on the Internet Original Idea The

Held Hostage? The Influence of Major ASes and CDNs on the Internet Original Idea The Internet is strongly hierarchical Original maps ( Rexford 2001 ) show the Inner Core lies in fs ee - speech countries US, France, Sweden But the

557 views • 16 slides
INTERCONNECTING CDNS AKA PEERING PEER-TO- PEER Bruce Davie & Francois le Faucheur

INTERCONNECTING CDNS AKA PEERING PEER-TO- PEER Bruce Davie & Francois le Faucheur

INTERCONNECTING CDNS AKA PEERING PEER-TO- PEER Bruce Davie & Francois le Faucheur Outline Background: peering peer-to-peer providers CDN Interconnect Motivation CDNI Technical Issues Discussion Why is this a

876 views • 19 slides
John S. Otto Fabin E. Bustamante Northwestern, EECS AIMS-4 CAIDA, SDSC, San Diego, CA Feb 10,

John S. Otto Fabin E. Bustamante Northwestern, EECS AIMS-4 CAIDA, SDSC, San Diego, CA Feb 10,

John S. Otto Fabin E. Bustamante Northwestern, EECS AIMS-4 CAIDA, SDSC, San Diego, CA Feb 10, 2012 http://aqualab.cs.northwestern.edu CDNs direct web clients to nearby content replicas Several motivations for using CDNs

354 views • 20 slides
Achieving the Dream For Prospective Colleges Fall 2010 Achieving the Dream is a bold national

Achieving the Dream For Prospective Colleges Fall 2010 Achieving the Dream is a bold national

Achieving the Dream For Prospective Colleges Fall 2010 Achieving the Dream is a bold national effort to help community college students succeed ATD defines student success as earning degrees or certificates, or transferring to a four-year

584 views • 21 slides
Achieving Operational Efficiency of Research Institutes using ICT 16 th April 2018 Achieving

Achieving Operational Efficiency of Research Institutes using ICT 16 th April 2018 Achieving

Achieving Operational Efficiency of Research Institutes using ICT 16 th April 2018 Achieving Operational Efciency using ICT Research at the Enabling Core services Finance provide support Human Collaboration Resource Research Funding

365 views • 9 slides

More recommend